Wizu ("we", "our", or "us") is an independent project developed by Denis Palchuk, based in Poland. This Privacy Policy explains what data we collect, why we collect it, and how it is used when you use the Wizu AI Fitness application ("the App") or visit our website at wizuai.com. If you have questions, contact us at support@wizuai.com.
1 Who This Policy Applies To
Wizu is intended for users 18 years of age and older. We do not knowingly collect data from anyone under 18. If you believe a minor has provided us with personal data, please contact us and we will delete it promptly.
2 Data We Collect
2.1 Account Data
When you create an account, we collect:
- Email address
- Full name
- Date of birth (age verification)
Authentication is handled via Firebase Authentication (Google Firebase).
2.2 Fitness Data
When you connect a Garmin device, we collect workout data including:
- GPS location (latitude/longitude)
- Pace and speed
- Distance
- Elevation
- Workout start and end timestamps
- Garmin watch model, firmware version, and device identifier
We do not share this data with Garmin or any fitness platform.
2.3 Health Data (Special Category — Explicit Consent Required)
The following data constitutes Special Category personal data under Article 9 of the GDPR due to its health-related nature. We only collect and process this data with your explicit, freely given consent, which you grant when connecting your Garmin device in the App:
- Heart rate
- Heart rate variability (HRV) (optional — only if you enable this)
- Sleep data (optional — only if you enable this)
You may withdraw this consent at any time by contacting us at support@wizuai.com or by disconnecting your device. Withdrawal of consent does not affect the lawfulness of processing that occurred before withdrawal.
2.4 User-Provided Context
You may provide additional context used to improve your experience:
- Training goals (text)
- Training plans (uploaded files: TXT, MD, JSON, CSV — up to 5 MB)
- Personal notes (uploaded files or text)
- Messages sent to the AI assistant
2.5 Technical Data
We automatically collect:
- IP address
- iOS device model and app version
- Usage analytics (which features you use)
- Crash logs and error reports
2.6 Waitlist
If you sign up for the waitlist on wizuai.com, we collect:
- Email address
- Approximate location (derived from your IP address)
Waitlist emails are deleted after the public launch of Wizu.
3 How We Use Your Data
Standard personal data (Art. 6 GDPR):
| Purpose | Legal Basis |
|---|---|
| Provide AI-assisted workout insights during and after sessions | Contract performance (Art. 6(1)(b)) |
| Personalise the experience based on your goals and training history | Contract performance (Art. 6(1)(b)) |
| Send service-related communications (account, updates) | Contract performance (Art. 6(1)(b)) |
| Manage pre-launch waitlist and notify you of the App's release | Consent (Art. 6(1)(a)) |
| Send marketing emails (opt-in only) | Consent (Art. 6(1)(a)) |
| Analyse usage to improve the App | Legitimate interest (Art. 6(1)(f)) |
| Diagnose crashes and bugs | Legitimate interest (Art. 6(1)(f)) |
| Comply with legal obligations | Legal obligation (Art. 6(1)(c)) |
Special Category health data (Art. 9 GDPR):
Heart rate, HRV, and sleep data are processed solely on the basis of your explicit consent (Art. 9(2)(a) GDPR). This consent is collected separately in the App when you connect your Garmin device. You may withdraw consent at any time — see Section 7 for details.
Important: If you withdraw consent for health data processing, you will no longer be able to receive AI-assisted insights based on that data, as it is essential to the core functionality of the App.
AI assistance is opt-in. You choose when to request AI-generated insights; we do not process your data automatically without your action.
We do not use your data to train or fine-tune AI models. We do not sell your data to any third party.
4 Third-Party Services
To provide the App, your data is processed by the following services:
| Service | Purpose | Location |
|---|---|---|
| Google Firebase (Auth, Firestore, Storage) | Authentication, data storage | EU data region, operated by Google LLC |
| MongoDB Atlas (AWS Frankfurt) | Workout and session data | AWS Frankfurt data region |
| Vercel (AWS Frankfurt) | Backend processing | Germany (EU) |
| OpenAI | AI-generated insights | USA |
| Google (Gemini) | AI-generated insights | USA |
| Cloudflare Workers | Waitlist email processing | USA |
| Stripe | Payment processing (planned) | USA |
Note on AI providers: When generating insights, relevant workout data and conversation context are transmitted to one or more AI providers. The data shared may include workout metrics (such as pace, distance, and heart rate), training goals, and messages you send to the AI assistant. Only the minimum data required to generate the requested insight is transmitted. These providers are contractually prohibited from using your data to train their models under our agreements with them.
5 International Data Transfers
Your data is primarily stored in the European Union (Germany). Where data is transferred to the USA (e.g., for AI processing), we rely on one or more of the following transfer mechanisms:
- EU-US Data Privacy Framework (DPF): Several of our US providers (including Google, Cloudflare, and Stripe) are self-certified under the DPF, which constitutes a valid adequacy decision under GDPR.
- Standard Contractual Clauses (SCCs): For providers not covered by the DPF, we rely on the European Commission's Standard Contractual Clauses to ensure an equivalent level of data protection.
6 Data Retention
| Data Type | Retention Period |
|---|---|
| Account and profile data | Retained for the lifetime of your account |
| Workout history and fitness data | Retained for the lifetime of your account |
| AI-generated insights and responses | Retained for the lifetime of your account |
| Chat messages | Retained for the lifetime of your account |
| Uploaded files and notes | Retained for the lifetime of your account |
| Waitlist emails | Deleted after the public launch of Wizu |
| Data after account deletion | Deleted within 7 days of account deletion |
| Anonymised aggregated statistics | Retained after account deletion (no longer linked to you) |
All personal data is deleted within 7 days of account deletion. We plan to introduce configurable per-category retention periods in a future release.
7 Your Rights
As a user (and particularly if you are in the EU/EEA), you have the following rights:
- Access: Request a copy of the personal data we hold about you
- Correction: Update your profile, goals, and training data directly in the App
- Deletion: Request deletion of your account and all associated data by emailing support@wizuai.com — deletion is completed within 7 days
- Restriction: Request that we restrict processing of your data in certain circumstances
- Portability: Receive your personal data in a structured, machine-readable format (JSON). This includes your goals, personal notes, uploaded files, and chat history. Email support@wizuai.com to request a data export. For raw workout data (GPS, heart rate), you can also export directly from Garmin Connect
- Objection: Object to processing based on legitimate interests
- Withdraw consent: Withdraw consent for marketing emails at any time
- Withdraw health data consent: Withdraw consent for processing your heart rate, HRV, and sleep data at any time by disconnecting your device in the App or contacting support@wizuai.com. Withdrawal does not affect the lawfulness of processing that occurred before withdrawal
To exercise any of these rights, contact us at support@wizuai.com.
If you are in the EU/EEA, you also have the right to lodge a complaint with your local data protection authority, or with the President of the Personal Data Protection Office (Prezes Urzędu Ochrony Danych Osobowych — PUODO) in Poland, as the lead supervisory authority for Wizu.
8 Data Security
We take the following measures to protect your data:
- All data transmitted between the App and our servers is encrypted via HTTPS/TLS
- Data stored in Firebase is encrypted at rest
- Data stored in MongoDB is encrypted at rest
- Access to user data is restricted to the developer and authorised backend service accounts
- In the event of a data breach likely to result in a high risk to your rights and freedoms, we will notify affected users by email without undue delay, and in accordance with our legal obligations under GDPR (including notifying the Polish supervisory authority, UODO, within 72 hours)
9 Cookies
The wizuai.com website currently uses only essential cookies required for basic functionality.
We plan to add analytics and tracking cookies in the future. When we do, we will introduce a cookie consent banner and update this policy. You will be notified by email of any material changes.
10 AI and Automated Processing
The AI assistant in Wizu provides insights based on your workout data and conversation history. This is always opt-in — you request insights; the App does not make automated decisions that significantly affect you (such as restricting access or changing your account status) without your input.
We do not use your personal data or conversations to train or improve AI models.
11 Children's Privacy
Wizu is not intended for users under 18. We do not knowingly collect personal data from minors. If you believe we have collected data from a minor, please contact us at support@wizuai.com and we will delete it immediately.
12 Changes to This Policy
We may update this Privacy Policy from time to time. When we do, we will notify you by email and update the "Last updated" date at the top of this page.
13 Contact
For any privacy-related questions, data access requests, or deletion requests, please get in touch: